Design Principles to Secure Application Development, Deployment and Maintenance.

Gary Seymour
3 min read · Jan 19, 2023


As part of our Best Practice series, we have pulled together and summarised the key design principles that should be included in your Application Development, Deployment and Maintenance project. These are ideal to use as part of any project design checklist, as part of your Design Assurance activity, or as a checklist while building out your backlogs of Epics in your Agile process.

The best way to implement these design principles is to integrate them into the software development life cycle (SDLC) process: including secure coding standards in the development process, conducting security testing during development, and developing a secure deployment plan. Development teams should ensure that they are aware of the latest security trends and practices, have access to the latest security tools, and regularly review their applications to ensure that any vulnerabilities are addressed.

The key design principles we have selected for securing application development:

1. Secure by Design: Secure by design is the concept of ensuring that security measures are built into the application from the beginning of its development. This includes implementing authentication, authorisation, and access control measures, as well as input and output validation.

2. Defence in Depth: Defence in depth is the approach of using multiple layers of defence to protect the application. This includes measures such as encryption, firewalls, and authentication to ensure that only authorised users can access the system.

3. Least Privilege: Least privilege is the principle of granting users only the minimum access necessary to perform their tasks. This helps to reduce the risk of unauthorised access and data leakage.

4. Separation of Duties: Separation of duties is the practice of assigning different tasks to different individuals or teams to prevent one person from having too much control over the system.

5. Security Testing: Security testing is the process of testing an application for vulnerabilities before it is released. This includes penetration testing, code review, and vulnerability scanning.

These design principles are ideal to use at the Design, Build, Test and Deploy stages of the application delivery life-cycle. They help drive a number of Best Practices and controls that should be considered and adopted as appropriate to your requirements.

In the related Best Practice technical guide, Security Checklist for NodeJS Development Design Assurance, we explore the range of technical controls that support these Principles, looking at the processes your Full Stack/NodeJS development life-cycle should include during the software development life cycle.

* * *

References: OWASP is a great source that we thoroughly recommend.

For more Blogs and Posts on ‘Best Practices’, ‘Security’ and Architecture: https://www.cloud-dog.com/blogs/

Twitter: https://twitter.com/garyseymour

Linkedin: https://www.linkedin.com/in/gary-robert-seymour/

Written by Gary Seymour

CTO, Technology and Change Lead across enterprise, cloud and secure solutions. Central Government, Global Organisations, Technology Start-ups.
